Categorization of Problem Areas


The problem areas of an AAA implementation on a switch may be categorized as follows:

  • Switch management troubleshooting

  • Identity-based Network Services (IBNSs) troubleshooting

Switch Management Troubleshooting

The TACACS+ protocol is the preferred choice for configuring AAA for switch management, although RADIUS and Kerberos are the other two options available. The local user database is used primarily for console authentication or as a fallback method for Telnet or SSH access to the switch. This section focuses on configuring and troubleshooting an AAA implementation that uses TACACS+ together with the local user database.

Table 11-3 shows AAA features introduced on different versions of the switch code.

Table 11-3. AAA Features Available Based on CatOS Release

AAA Method                                    CatOS 2.2-5.1   CatOS 5.1-5.4.1   CatOS 5.4.1-7.5.1   CatOS 7.5.1 and later
TACACS+ Authentication                        Yes             Yes               Yes                 Yes
RADIUS Authentication                         No              Yes               Yes                 Yes
Kerberos Authentication                       No              No                Yes                 Yes
Local Username Authentication/Authorization   No              No                No                  Yes
TACACS+ Command Authorization                 No              No                Yes                 Yes
TACACS+ Exec Authorization                    No              No                Yes                 Yes
RADIUS Exec Authorization                     No              No                Yes                 Yes
Accounting - TACACS+/RADIUS                   No              No                Yes                 Yes
TACACS+ Enable Authorization                  Yes             Yes               Yes                 Yes
RADIUS Enable Authorization                   No              Yes               Yes                 Yes
TACACS+ Enable Authorization                  No              No                Yes                 Yes


Login Authentication

This section steps through the configuration and discusses some of the common issues that you may encounter, and how to troubleshoot them.

Configuration Steps

To configure AAA authentication, perform the following tasks:

Step 1.

Create local user database

If you are running CatOS version 7.5.1 or above, configure the local user database as follows:

Example 11-11. Sample Output of Local User Database

Switch> (enable) set localuser user admin password powerpass privilege 15
Switch> (enable) set localuser user basic password nonenable

It is important to note that there are only two privilege levels (0 and 15) for the authentication of local users, as Example 11-11 shows: admin has privilege level 15 (enable access privilege), whereas the user basic has privilege level 0, which is exec privilege. So when admin connects via Telnet or the console, it can get to enable mode, but the user basic will be left in user mode. User basic needs to know the enable password to reach enable mode, which is configured with the set enable password command. The local user database can be configured as the only user authentication method, or as a backup for the external AAA server authentication so that users are not locked out.

Step 2.

Turn on and verify the local authentication as a fallback (back door) or only method for authentication, as Example 11-12 shows.

Example 11-12. Turning on Local User Authentication

Switch> (enable) set authentication login local enable
Switch> (enable) show aaa authentication
Switch> (enable)

Step 3.

Define the TACACS+ server and shared secret key on switch.

Configure the communication parameters between the switch and AAA server (TACACS+ or RADIUS) by providing the IP address and the shared secret key (optional) for encryption, as Example 11-13 shows.

Example 11-13. Configuration Required for Communicating with AAA Server

Switch> (enable) set tacacs server 10.1.1.40
Switch> (enable) set tacacs key cisco
Switch> (enable)

Step 4.

Define the AAA client on the AAA Server.

Configure switch as an AAA client on the Cisco Secure ACS by browsing to Network Configuration > Add AAA client > Add Entry (Define Switch IP address and shared secret key) > Stop/Restart the service.

Note that the switch IP address and shared secret key entered here must be the same ones defined on the switch.

Step 5.

Create the user database on the Cisco Secure.

After logging in to Cisco Secure ACS, go to User Setup, create a user with a username and password, and map the user to a group on the ACS (the group can be left unconfigured). No special parameters need to be defined for simple user authentication to the switch.

Step 6.

Turn on TACACS+ authentication, as Example 11-14 shows.

Example 11-14. Turning on TACACS+ Authentication on the Switch

Switch> (enable) set authentication login tacacs enable
Switch> (enable)

Troubleshooting Steps

Troubleshooting authentication needs to be done on both the switch and the TACACS+ server side. It is, however, recommended to troubleshoot the switch's AAA issue in conjunction with the CS ACS server itself. You can turn on debugging with the set trace tacacs 4 command on the switch. It is worth examining the debug output of a successful authentication before going through some of the common issues you may encounter. Example 11-15 walks through the debug output on the switch.

Example 11-15. The debug Output for Successful User Authentication with TACACS+ protocol

Switch> (enable) set trace tacacs 4
AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
2005 Mar 26 22:10:08.510 AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=LOGIN
TAC+: send AUTHEN/START packet ver=192 id=224470576
! Opening connection with tacacs+ server
TAC+: Opening TCP/IP connection to 10.1.1.40
TAC+: ver=192 id=224470576 received AUTHEN status = GETUSER
2005 Mar 26 22:10:09.520
! Getting username input from the user
AAA/AUTHEN (224470576): status = GETUSER
User Access Verification
Username:
2005 Mar 26 22:10:16.590
! Got the username administrator
AAA/AUTHEN: update_user user='administrator' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
2005 Mar 26 22:10:16.590 AAA/AUTHEN/CONT (224470576): continue_login
2005 Mar 26 22:10:16.590 AAA/AUTHEN (224470576): status = GETUSER
TAC+: send AUTHEN/CONT packet id=224470576
! Here asking for the password
TAC+: ver=192 id=224470576 received AUTHEN status = GETPASS
2005 Mar 26 22:10:17.090 AAA/AUTHEN (224470576): status = GETPASS
Password:
2005 Mar 26 22:10:19.980 AAA/AUTHEN/CONT (224470576): continue_login
2005 Mar 26 22:10:19.980 AAA/AUTHEN (224470576): status = GETPASS
TAC+: send AUTHEN/CONT packet id=224470576
! Here shows authentication successful
TAC+: ver=192 id=224470576 received AUTHEN status = PASS
2005 Mar 26 22:10:20.480 AAA/AUTHEN (224470576): status = PASS
Switch> (enable)

Now take a look at some of the common problems you may encounter with the TACACS+ authentication.

  • TACACS+ server is unreachable or mismatch in the shared secret key: If the TACACS+ server is unreachable or the shared secret key does not match between the TACACS+ server and the switch, an error message is reported, as in Example 11-16. If an alternate method (for example, the local user database) is configured as a backup, the switch tries to authenticate the user with the backup method.

    Example 11-16. The ERROR Message When TACACS+ Server Is Unreachable

    2005 Mar 29 15:29:22.430 AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.25.35.229' authen_type=1 service=LOGIN priv=1
    2005 Mar 29 15:29:22.430 AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=LOGIN
    TAC+: send AUTHEN/START packet ver=192 id=340001563
    TAC+: no tacacs server defined
    TACACS: Unable to contact Server
    !The following line shows the ERROR message when TACACS+ server is unreachable
    2005 Mar 29 15:29:22.430 AAA/AUTHEN (340001563): status = ERROR
    2005 Mar 29 15:29:22.430 AAA/AUTHEN/START (340001563): failed to authenticate
    2005 Mar 29 15:29:22.430 %AAA: enable: Internal error. Trying Local Login Authentication

  • Bad Username or Password: If the username or password is invalid, authentication fails. This is different from the error condition seen earlier: with a bad username or password, the backup method is not tried. Example 11-17 shows the debug output for an authentication attempt with a bad username or password.

    Example 11-17. Debug Output for AAA When Bad Username or Password Is Entered

    2005 Mar 29 15:39:14.490 AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
    2005 Mar 29 15:39:14.490 AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=LOGIN
    TAC+: send AUTHEN/START packet ver=192 id=599265646
    TAC+: Opening TCP/IP connection to 10.1.1.40
    TAC+: ver=192 id=599265646 received AUTHEN status = GETUSER
    2005 Mar 29 15:39:15.490 AAA/AUTHEN (599265646): status = GETUSER
    User Access Verification
    Username:
    2005 Mar 29 15:39:17.800 AAA/AUTHEN: update_user user='admin123' ruser='(null)' port='telnet146' rem_addr='10.25.35.229' authen_type=1 service=LOGIN priv=1
    2005 Mar 29 15:39:17.800 AAA/AUTHEN/CONT (599265646): continue_login
    2005 Mar 29 15:39:17.800 AAA/AUTHEN (599265646): status = GETUSER
    TAC+: send AUTHEN/CONT packet id=599265646
    TAC+: ver=192 id=599265646 received AUTHEN status = GETPASS
    2005 Mar 29 15:39:18.300 AAA/AUTHEN (599265646): status = GETPASS
    Password:
    2005 Mar 29 15:39:20.890 AAA/AUTHEN/CONT (599265646): continue_login
    2005 Mar 29 15:39:20.890 AAA/AUTHEN (599265646): status = GETPASS
    TAC+: send AUTHEN/CONT packet id=599265646
    !The FAIL message indicates either a bad username or an invalid password.
    TAC+: ver=192 id=599265646 received AUTHEN status = FAIL
    2005 Mar 29 15:39:21.400 AAA/AUTHEN (599265646): status = FAIL
    % Authentication failed.
    2005 Mar 29 15:39:21.400
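As an added example (not from the book), the following Python script classifies a CatOS set trace tacacs 4 capture into the three outcomes just discussed: PASS, FAIL (bad credentials, where the backup method is not tried) and ERROR (server unreachable, not defined or shared-key mismatch, where the local backup is tried if configured). The embedded traces are constructed, shortened versions in the book's format, and the regular expressions, field names and hint strings are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns for the CatOS "set trace tacacs 4" output shown in Examples 11-15 to 11-17.
USER_RE = re.compile(r"update_user user='([^']*)'.*?rem_addr='([^']*)'")
SERVER_RE = re.compile(r"Opening TCP/IP connection to (\S+)")
REPLY_RE = re.compile(r"received AUTHEN status = (GETUSER|GETPASS|PASS|FAIL|ERROR)")
FINAL_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (PASS|FAIL|ERROR)")
UNREACHABLE_MARKERS = ("no tacacs server defined", "Unable to contact Server")


@dataclass
class TacacsLoginResult:
    session_id: Optional[str] = None
    user: str = ""
    rem_addr: str = ""
    server: Optional[str] = None           # None when no TCP connection was opened
    server_replies: List[str] = field(default_factory=list)
    outcome: Optional[str] = None          # PASS, FAIL or ERROR
    fallback_tried: bool = False           # "Trying Local Login Authentication" seen
    hint: str = ""


def classify_tacacs_trace(trace: str) -> TacacsLoginResult:
    """Walk one login attempt's trace and explain why it ended the way it did."""
    r = TacacsLoginResult()
    for line in trace.splitlines():
        m = USER_RE.search(line)
        if m:
            if m.group(1):                 # the first update_user line has an empty user
                r.user = m.group(1)
            r.rem_addr = m.group(2)
        m = SERVER_RE.search(line)
        if m:
            r.server = m.group(1)
        r.server_replies += REPLY_RE.findall(line)   # verdicts the server actually sent
        m = FINAL_RE.search(line)
        if m:
            r.session_id, r.outcome = m.group(1), m.group(2)
        if "Trying Local Login Authentication" in line:
            r.fallback_tried = True

    if r.outcome == "PASS":
        r.hint = "TACACS+ server accepted the credentials."
    elif r.outcome == "FAIL":
        # FAIL is a server verdict on the credentials; the backup method is not tried.
        r.hint = ("TACACS+ server rejected the username or password; the backup method "
                  "is not tried, check the user on CS ACS.")
    elif r.outcome == "ERROR":
        if any(k in trace for k in UNREACHABLE_MARKERS):
            reason = "TACACS+ server not defined or unreachable"
        else:
            reason = "TACACS+ exchange did not complete (shared-key mismatch is the usual cause)"
        if r.fallback_tried:
            r.hint = f"{reason}; switch fell back to local login authentication."
        else:
            r.hint = f"{reason}; no backup method was tried, users may be locked out."
    else:
        r.hint = "Trace is incomplete: no final AAA/AUTHEN status line."
    return r


# Constructed, shortened traces in the same format as the book's examples (not captures).
TRACE_PASS = """\
2005 Mar 26 22:10:08.510 AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
TAC+: Opening TCP/IP connection to 10.1.1.40
TAC+: ver=192 id=224470576 received AUTHEN status = GETUSER
AAA/AUTHEN: update_user user='administrator' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
TAC+: ver=192 id=224470576 received AUTHEN status = GETPASS
TAC+: ver=192 id=224470576 received AUTHEN status = PASS
2005 Mar 26 22:10:20.480 AAA/AUTHEN (224470576): status = PASS
"""
TRACE_ERROR = """\
2005 Mar 29 15:29:22.430 AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.25.35.229' authen_type=1 service=LOGIN priv=1
TAC+: no tacacs server defined
TACACS: Unable to contact Server
2005 Mar 29 15:29:22.430 AAA/AUTHEN (340001563): status = ERROR
2005 Mar 29 15:29:22.430 %AAA: enable: Internal error. Trying Local Login Authentication
"""
TRACE_FAIL = """\
TAC+: Opening TCP/IP connection to 10.1.1.40
AAA/AUTHEN: update_user user='admin123' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
TAC+: ver=192 id=599265646 received AUTHEN status = GETUSER
TAC+: ver=192 id=599265646 received AUTHEN status = GETPASS
TAC+: ver=192 id=599265646 received AUTHEN status = FAIL
2005 Mar 29 15:39:21.400 AAA/AUTHEN (599265646): status = FAIL
% Authentication failed.
"""

if __name__ == "__main__":
    for name, trace in (("pass", TRACE_PASS), ("error", TRACE_ERROR), ("fail", TRACE_FAIL)):
        res = classify_tacacs_trace(trace)
        print(f"{name}: user={res.user!r} server={res.server} outcome={res.outcome} "
              f"fallback={res.fallback_tried} -> {res.hint}")
```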

Enable Password Authentication

To authenticate enable access to the switch after the user logs into the switch, set this up on the switch and on the Cisco Secure ACS Server.

Configuration Steps

The following steps are required on the switch:

Step 1.

Turn on enable password authentication with local user database. This means that the enable access for the user will be authenticated with the enable password defined on the switch. If TACACS+ is configured as a primary method for authentication, then enable password will be used in case the TACACS+ server is unreachable. Example 11-18 shows how to turn on enable authentication with a local user database.

Example 11-18. Turning on Enable Authentication with a Local User Database on Switch

Switch> (enable) set authentication enable local enable
Switch (enable) set enable
Enter old password:
Enter new password: cisco
Retype new password: cisco
Password changed.
Switch (enable)

Step 2.

Configure Enable parameters for users and groups on CS ACS.

Turn on Advanced TACACS+ Features by browsing to Interface Configuration and selecting TACACS+ (Cisco IOS). Then check Advanced TACACS+ Features under Advanced Configuration Options setting. Click Submit. Under the Enable Options of User/group setup, deselect No Enable Privilege and select the desired enable privilege level either based on AAA client or Network Device Group (NDG).

To authenticate the enable password with a separate password other than the login password, you can go to the TACACS+ Enable Password section of user setup and set up a password that differs from the user's actual login password.

Step 3.

Configure TACACS+ for enable password authentication as shown in Example 11-19.

Example 11-19. Configuration to Turn on Enable Authentication

Switch (enable) set authentication enable tacacs enable
Switch (enable)

Troubleshooting Steps

Troubleshooting steps for the Enable password authentication are the same as for login authentication. Following are some of the important points to be aware of when using enable password authentication:

  • Enable authentication is not turned on on the switch: Turn on enable authentication on the switch to use the TACACS+ server. By default, enable authentication with the enable password is turned on. If the TACACS+ server is down, the enable password is used as a backup, provided that enable login with the enable password is enabled.

  • Enable password is not defined on the CS ACS: When configuring a user profile, either use the same password as the login or define a separate password for enable access under the "TACACS+ Enable Password" section. Also, you must define "Max Privilege for any AAA Client" under "Advanced TACACS+ Settings."

Authorization

Authorization comes after successful user authentication. There are two ways to perform authorization. The following sections explain how to perform the configuration and how to troubleshoot.

Configuration Steps

Two types of authorization can be configured on the switch. The first is TACACS+ Exec Authorization:

  • TACACS+ Exec Authorization: Just as with a router, it's possible to send the authorization request for enable access before the switch allows the user to log in, so that the user doesn't need to enter the enable password to get to enable mode (the user is taken directly to enable mode). This applies to both the console and the Telnet session. Example 11-20 shows how to turn on exec authorization using the TACACS+ protocol.

    Example 11-20. Turning on Exec Authorization

    Switch (enable) set authorization exec enable tacacs+ none both
    Switch (enable)

    You must configure shell/exec for the user profile under TACACS+ server.

    This is especially useful when you want to bypass the enable password authentication either locally or via the AAA server. It is also useful if you want to prevent users, such as PPP users, from logging into the switch without shell/exec service configured on the server. PPP users will get the following message:

    Exec mode authorization failed. 

    In addition to permitting/denying exec mode for users, users can be forced into enable mode when entering by having privilege level 15 assigned on the server. It is important to note that this feature is available on version 5.5(3), 6.1(1), and above.

    As stated previously, two types of authorization can be configured on the switch. The second is TACACS+ Command Authorization, which is discussed next:

  • TACACS+ Command Authorization: Command authorization is also possible on the switch, just as it is with routers. Example 11-21 shows the configuration required for command authorization using TACACS+. The none keyword means that no authorization is performed if the TACACS+ server is down, and the both keyword signifies that command authorization is turned on for both console and Telnet sessions.

    Example 11-21. Configuration Required for Command Authorization

    Switch (enable) set authorization commands enable config tacacs none both
    Switch (enable)

    Once you turn on command authorization on the switch, you must configure the TACACS+ server for the command authorization to allow set port enable 2/8.

Troubleshooting Steps

Troubleshooting steps for authorization are the same as for authentication. If authorization fails, you must turn on the set trace tacacs 4 command to see the debug on the switch. You also need to analyze the log of the AAA server. This section explains the problems you may encounter specifically with the authorization configured on the switch:

  • User is not taken directly to the Enable Mode: On the switch, the authorization exec command must be turned on. Also, you must ensure that your switch version supports the privilege level download feature from the AAA server you are running, so that you can be taken directly to enable mode after authentication. (See Table 11-3 for the version information of the TACACS+ Exec Authorization feature.) On the CS ACS, you must have Exec turned on for the user/group profile with the privilege level set to greater than 1.

  • Command Authorization is not working: First, be sure that authorization is turned on either for exec or for commands. Then check the configuration of the CS ACS to see if the system is properly configured for the commands. Run the trace command to identify the commands that are being parsed by the CS ACS server. Finally, match the command authorization syntax defined on the CS ACS server.

Accounting

Accounting can be turned on for authentication and for authorization. The section that follows has configuration and troubleshooting steps for accounting.

Configuration Steps

To turn on accounting on the switch with TACACS+ protocol, use the following options:

  • To collect exec level log (for instance, user getting switch prompt), execute set accounting exec enable start-stop tacacs+.

  • To collect the information about connection/disconnection information (for example, users' disconnection out of the switch), configure set accounting connect enable start-stop tacacs+.

  • To capture system-related messages (for instance, a reboot of the switch), turn on set accounting system enable start-stop tacacs+.

  • To capture which commands users are executing on the switch, issue the following command: set accounting commands enable all start-stop tacacs+.

  • To send periodic interim accounting updates to the server (for example, to update the records once every minute to confirm that a user is still logged in), configure set accounting update periodic 1.

Troubleshooting Steps

Accounting problems arise mostly if certain attributes are not being logged to the CS ACS server. For this, turn on trace to see what information is being sent as a form of accounting to the CS ACS server. Examining the log on the CS ACS server will reveal if the problem lies there or not.

Identity-Based Network Services (IBNSs)

Turning on dot1x protocol on the switch port also enables user authentication and machine authentication for the Microsoft Windows Networking environment. You can avoid machine authentication, but when using Microsoft AD, it's not recommended, as this may break the GPO model for AD.

Here are some important points to note when turning on machine authentication:

  • The computer must be a member of the domain.

  • If using TLS, the computer must obtain a certificate, either through auto-enrollment (see the case study) or manually.

  • If using PEAP or TLS, be sure that the certificate of the certificate authority (CA) is in the local machine store; typically, it is added if the CA is up when the machine is added to the domain. If not, you can force the certificate to be in the local machine store via auto-enrollment (see the "Case Studies" section).

  • Click the check box for the Authenticate as Computer option.

There are two ways to turn on machine authentication:

  • Machine Auth Using PEAP: Uses the account information for the computer created at the time the machine is added to the domain. Hence, the computer must be a member of the domain. If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's certificate.

  • Machine authentication using EAP-TLS: Authenticates the computer using certificates. The computer must have a valid certificate. If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's certificate. The easiest way to implement machine authentication is by using MS-CA and Windows GPOs. This may require a DHCP lease renewal after authentication.

    Machine authentication using EAP-TLS is not automatic and must be scripted or done manually.

Configuration Steps

You need to configure several devices for successful PEAP Machine Authentication.

Installation of Certificate

The following are the certificates required for Machine Authentication with PEAP:

  • On the supplicant, install a machine certificate from Active Directory (AD) (refer to the case study), and the CA Root Certificate as shown in the "Case Studies" section. The CA used is Microsoft Enterprise CA Server.

  • On the ACS, install ACS Server certificate, and the CA root certificate. The procedures are shown in the "Case Studies" section.

Configuration of Authenticator (Switch)

On the Authenticator (Switch) follow these steps for Hybrid mode (Cat OS):

Step 1.

Define Global Commands as shown in Example 11-22.

Example 11-22. Global Commands Required to Turn on dot1x

Switch#
!RADIUS configuration
set radius server <ip_address> auth-port 1812 primary
set radius key <key>
!Global 802.1x configuration
set dot1x system-auth-control enable
set dot1x quiet-period 10 (default: 30)
set dot1x tx-period 10 (default: 30)
set dot1x supp-timeout 5 (default: 30)
set dot1x server-timeout 5 (default: 30)
set dot1x max-req 4 (default: 2)
set dot1x re-authperiod
!Global 802.1x Guest VLAN (CatOS 7.6+)
set dot1x guest-vlan <vlan>

Step 2.

Define per-port commands on the switch as shown in Example 11-23.

Example 11-23. Per-Port Commands to Turn on dot1x

Switch#
!Port Level 802.1x configuration
set port dot1x <mod/port> port-control auto
set port dot1x <mod/port> port-control force-authorized
set port dot1x <mod/port> multiple-host enable/disable
set port dot1x <mod/port> re-authentication enable/disable
!Port Level 802.1x Guest VLAN (CatOS 8.3+)
set port dot1x <mod/port> guest-vlan {vlan | none}

The following configuration is needed on the Native IOS:

Step 3.

The Global Commands needed are shown in Example 11-24.

Example 11-24. Global Configuration needed with Native IOS

Switch#
!RADIUS configuration
radius-server host <ip_address>
radius-server key <key>
aaa new-model
aaa authentication dot1x default group radius
aaa authorization default group radius
aaa authorization config-commands
!802.1x Global Commands
dot1x system-auth-control
dot1x max-req
dot1x timeout quiet-period
dot1x timeout tx-period
dot1x timeout re-authperiod
dot1x re-authentication

The per-port commands for Native IOS are shown below:

Switch#
!IOS Per-port configuration
dot1x port-control auto
!IOS Per-port Guest VLAN
dot1x guest-vlan <vlan>
Switch#

Configuration of Supplicant

The following steps are used to configure supplicant:

Step 1.

Open Network Connections.

Step 2.

Right-click Local Area Connection and then click Properties.

Step 3.

Click Authentication, and then check Enable IEEE 802.1x authentication for this network. For EAP type, select PEAP, check Authenticate as computer when Computer Information is Available.

Step 4.

Click PEAP Properties. On the next window under When Connecting, select Validate Server Certificate. Under Trusted Root Certificate Authorities, check the Root CA you have installed on the client. Under Select Authentication Method, choose Secure Password (EAP-MSCHAP v2). Click on Configure and choose Automatically Use my Windows Logon name and password (and domain if any).

Configuration of ACS Server

The following are step-by-step procedures for ACS configuration for the PEAP Authentication:

Step 1.

Install the ACS Server Certificate and the CA Server Certificate on the ACS Server (refer to the "Case Studies" section towards the end of this chapter).

Step 2.

Log in to ACS, and then browse to Network Configuration. Click Add Entry.

Step 3.

Enter a Network Device Group Name and click Submit.

Step 4.

Click on the new created Network Device Group and click on Add Entry.

Step 5.

Fill in the switch name, IP address, and key (shared secret you've entered on switch). Also, under Authenticate Using, select RADIUS (Cisco Aironet) which includes RADIUS Internet Engineering Task Force (IETF) attributes.

Step 6.

Click on the Submit+ Restart button.

Step 7.

Click on External User Database > Database Configuration > Windows Database > Configure.

Step 8.

In the "Windows User Database Configuration" page under the Configure Domain List, move Domains from Available Domains to Domain List.

Step 9.

In the same pages as Step 8, under the Windows EAP Settings, enter a check to indicate if the password change inside PEAP is allowed. This setting does not apply to PEAP-GTC. Note that you should not change the machine authentication name prefix. Currently MS uses host/ to distinguish between user and machine authentication.

Step 10.

Click Submit.

Step 11.

Click on External User Database > Unknown User Policy. Select the "Check the following external user databases" option and move the Windows Database to the right, under Selected Databases.

Step 12.

Click Submit.

Step 13.

Select Group Setup > Default Group and click on Edit Settings.

Step 14.

Scroll down to Radius IETF Attributes and check Attribute 27 (Session Timeout). Set it to 60 seconds.

Step 15.

Click on Submit and then Restart.

Step 16.

Go to System Configuration > Global Authentication Setup.

Step 17.

Select which EAP authentication will be enabled. (for example, PEAP-MS-CHAPv2 is selected.)

Step 18.

Click Submit and then Restart.

Authorization

Dynamic VLAN can be assigned to the port after successful user authentication. This is accomplished with an IETF RADIUS AV pair. If the switch is running Native IOS, configure authorization with aaa authorization network default group radius to apply the dynamic VLAN downloaded from CS ACS. However, if you are running Cat OS, then you do not have to turn on authorization; authentication is sufficient. Following is the list of AV pairs used for configuring user or group profiles on CS ACS to assign dynamic VLAN to the port where the supplicant is connected:

  • [64] Tunnel-Type "VLAN" (13)

  • [65] Tunnel-Medium-Type "802" (6)

  • [81] Tunnel-Private-Group-ID <VLAN name>

On CS ACS, if you do not see these attributes under the user or group profile, browse to Interface Configuration > RADIUS (IETF) and select the attributes in the previous list for a user, a group, or both. Then go to the user or group setup and define the attributes as listed previously. For attribute [81] Tunnel-Private-Group-ID <VLAN name>, you must define a VLAN name, not the VLAN ID. On the switch, you must have the same name with a VLAN ID tied to it.
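To make the AV-pair list above concrete, here is an added Python example (not the book's or Cisco's code) that encodes the three RFC 2868 tunnel attributes as they travel inside a RADIUS Access-Accept and then checks them the way the switch must: a complete set under one tag, Tunnel-Type 13, Tunnel-Medium-Type 6, and a Tunnel-Private-Group-ID that names a VLAN present on the switch (a numeric ID is rejected, as the text warns). The switch VLAN table, VLAN names and function names are constructed assumptions.

```python
from typing import Dict, List, Tuple

# RADIUS attribute numbers from the CS ACS list above (RFC 2868 tunnel attributes).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type "802"
MAX_TAG = 0x1F               # RFC 2868: a leading byte above 0x1F is data, not a tag


def _attr(attr_type: int, body: bytes) -> bytes:
    """Wrap a value in the RADIUS type/length/value layout (length covers the header)."""
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(body) + 2]) + body


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer: one tag byte followed by a 3-byte big-endian value."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..31")
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string: one tag byte followed by the text."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..31")
    return _attr(attr_type, bytes([tag]) + value.encode("ascii"))


def build_vlan_assignment(vlan_name: str, tag: int = 1) -> bytes:
    """The three AV pairs CS ACS sends for a dynamic VLAN, as raw RADIUS attributes."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def _split_tag(value: bytes) -> Tuple[int, bytes]:
    # An untagged attribute starts with a byte > 0x1F; treat it as tag 0.
    if value and value[0] <= MAX_TAG:
        return value[0], value[1:]
    return 0, value


def resolve_dynamic_vlan(attrs: List[Tuple[int, bytes]],
                         switch_vlans: Dict[str, int]) -> Tuple[bool, str]:
    """Check the tunnel AV pairs as the switch must; return (ok, vlan_id or reason)."""
    tunnel_types = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    groups: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in attrs:
        if attr_type in tunnel_types:
            tag, body = _split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    if not groups:
        return False, "no tunnel attributes: port keeps its configured VLAN"
    tag, g = sorted(groups.items())[0]      # lowest tag is the preferred tunnel
    missing = [t for t in tunnel_types if t not in g]
    if missing:
        return False, f"tag {tag}: incomplete set, missing attribute(s) {missing}"
    if int.from_bytes(g[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
        return False, f"tag {tag}: Tunnel-Type is not VLAN (13)"
    if int.from_bytes(g[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
        return False, f"tag {tag}: Tunnel-Medium-Type is not 802 (6)"
    name = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    if name not in switch_vlans:
        return False, f"tag {tag}: VLAN name {name!r} is not defined on the switch"
    return True, str(switch_vlans[name])


# Constructed switch VLAN table: names the switch has tied to VLAN IDs.
SWITCH_VLANS = {"default": 1, "engineering": 20, "guests": 30}

if __name__ == "__main__":
    accept = build_vlan_assignment("engineering")
    print(accept.hex())
    print(resolve_dynamic_vlan(parse_attributes(accept), SWITCH_VLANS))
    # The mistake the text warns about: sending the VLAN ID instead of the VLAN name.
    print(resolve_dynamic_vlan(parse_attributes(build_vlan_assignment("20")), SWITCH_VLANS))
```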

Troubleshooting Steps

The following troubleshooting steps may help you isolate problems in a dot1x implementation on the switch.

On the Windows Client

To get the debug level logging, follow these steps on the Windows client:

Step 1.

Choose Start > Run, and then type cmd in the text box, which will cause a DOS prompt to display.

Step 2.

Enter netsh ras set tracing * enabled to turn on debugging.

Step 3.

Run the Authentication test.

Step 4.

Analyze the debug messages on the client.

The debug information on the client will go into different directories depending on whether you are using Windows XP or Windows 2000. For Windows XP, the debug information will go into <installation drive>:\WINDOWS\tracing. For Windows 2000, it will go to <installation drive>:\WINNT\tracing.

Step 5.

Table 11-4 shows files and what goes into those files.

Table 11-4. Files in the Tracing Directory and Information That Goes into Those Files

File Name           Description
RASTLS.LOG          MS-PEAP phase 1 (TLS)
CISCOEAPPEAP.LOG    Cisco-PEAP phase 1 (TLS)
RASCHAP.LOG         MS-PEAP phase 2 (MS-CHAP)
EAPOL.LOG           Whole EAP communication


Step 6.

After you finish with the test, be sure to turn off tracing by using this command: netsh ras set tracing * disabled.

Step 7.

Analyze the client logs to be sure that the EAP packet is sending the proper credentials to the switch.

Step 8.

If an error condition is reported, go through the client settings to ensure that all the authentication types and parameters are set up correctly.

Step 9.

Once the client log indicates that everything is set up correctly, and EAP packets are forwarding the information to the Authenticator, the next step is to look at the Authenticator debug.

For more details on how to analyze the client log, refer to: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

On the Authenticator (Switch) Side

On the switch you can run debug commands to see the EAPOL packet exchange between the client and the switch. The debug command to capture this information on the Catalyst OS is set trace dot1x <0-15>. Note that 15 is a full debug, including a packet dump. Be sure to turn it off once you are finished.

In Native IOS, the command to turn on debug is debug dot1x <backend | fesm | besm | CR>, which turns on debugging for the authenticator process. To capture the debug output of the communication between the Authenticator (Switch) and the AAA Server, run the AAA-related debug command, which was discussed in the "Diagnostic Commands and Tools" section of this chapter for Cat OS. For Native IOS, refer to Chapter 9, "Troubleshooting AAA on IOS Routers."

Example 11-25 shows a successful authenticated debug output on the switch.

Example 11-25. Successful debug Output Session When PEAP or EAP-TLS Is Used

2005 Mar 29 00:52:13 %PAGP-5-PORTTOSTP:Port 2/2 joined bridge port 2/2
! Authentication is starting here..
2005 Mar 29 00:53:05 %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/2 is AUTHENTICATING
2005 Mar 29 00:53:05 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:06 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:08 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:08 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:09 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:09 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:09 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:10 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:10 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:11 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:11 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:12 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:12 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:13 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is SUCCESS
2005 Mar 29 00:53:13 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is FINISHED
2005 Mar 29 00:53:13 %SECURITY-5-DOT1X_AUTHENTICATION_SUCCESS:Authentication successful for port 2/2
!Port is successfully authorized here, which means actual traffic from supplicant may
!flow now
2005 Mar 29 00:53:14 %SECURITY-5-DOT1X_PORT_AUTHORIZED:DOT1X: port 2/2 authorized
2005 Mar 29 00:53:14 %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/2 is AUTHENTICATED

On the Authentication Server Side

The AAA server, for instance Cisco Secure ACS on Windows, has an extensive logging facility, which allows you to analyze the failure by the server or an external user database. For more details about server-side troubleshooting, refer to Chapter 13, "Troubleshooting Cisco Secure ACS on Windows," in particular the section on "CS ACS with Active Directory Integration." In summary, you need to go under Reports and Activity and then to Failed Attempt. For a more detailed analysis of the log, analyze the auth.log file, which is explained in detail in Chapter 13. Example 11-26 shows the RDS.log file logging output.

Example 11-26. RDS.log for Successful Authentication When PEAP/EAP-TLS Is Used

! Following shows the packets and RADIUS attributes received from the Switch
Request from host 10.1.1.1:1812 code=1, id=245, length=99 on port 2341
    [001] User-Name                 value: eaptls@acs.cisco
    [004] NAS-IP-Address            value: 10.1.1.1
    [012] Framed-MTU                value: 1000
    [079] EAP-Message               value: .....eaptls@acs.cisco
    [080] Message-Authenticator     value: 6A 0A E3 64 4C D3 19 F2 AB 66 BB 0E 78 B5 CD 1A
ExtensionPoint: Initiating scan of configured extension points...
ExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping...
ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [11 - challenge]
! EXTRA STUFF REMOVED
Request from host 10.1.1.1:1812 code=1, id=251, length=112 on port 2341
    [001] User-Name                 value: eaptls@acs.cisco
    [004] NAS-IP-Address            value: 10.1.1.1
    [012] Framed-MTU                value: 1000
    [024] State                     value: CISCO-EAP-CHALLENGE=0.202.77.6
    [079] EAP-Message               value: .\Q....
    [080] Message-Authenticator     value: 78 7F 6F 6E E2 65 D7 47 87 78 34 C0 3D FB 52 1A
ExtensionPoint: Initiating scan of configured extension points...
ExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping...
ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [4 - accept_continue]
ExtensionPoint: Start of Attribute Set
    [079] EAP-Message               value: .a..
    [026] Vendor-Specific           vsa id: 311
          [016] MS-MPPE-Send-Key    value: ).5.__~._Lá_2ûQ.à.._.>¢m_Æ_ä_#"....å.T_,__M_...¿_.
    [026] Vendor-Specific           vsa id: 311
          [017] MS-MPPE-Recv-Key    value: #Hï$N=XÄ._..u_ì.Uá_8.Éí ...ñ_..._..__>__xë
ExtensionPoint: End of Attribute Set
AuthorExtensionPoint: Initiating scan of configured extension points...
AuthorExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping...
AuthorExtensionPoint: Supplier [Cisco Downloadable ACLs] not associated with vendor [RADIUS (IETF)], skipping...
! The following lines are the RADIUS response packet with AV pair after successful
! authentication
Sending response code 2, id 251 to 10.1.1.1 on port 2341
    [064] Tunnel-Type               value: [T1] 13
    [081] Tunnel-Private-Group-ID   value: [T1] 2
    [008] Framed-IP-Address         value: 255.255.255.255
    [079] EAP-Message               value: .a..
    [026] Vendor-Specific           vsa id: 311
          [016] MS-MPPE-Send-Key    value: ).5.__~._Lá_2ûQ.à.._.>¢m_Æ_ä_#"....å.T_,__M_...¿_.
    [026] Vendor-Specific           vsa id: 311
          [017] MS-MPPE-Recv-Key    value: #Hï$N=XÄ._..u_ì.Uá_8.Éí ...ñ_..._..___(_>__xë



Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Authors: Mynul Hoda
